Shorewall 2.0.2a plus restore tweaks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-05-16 17:52:54 +00:00 · 2004-05-16 17:52:54 +00:00 · 7ddf61f0b3
commit 7ddf61f0b3
parent b6f49d77ac
9 changed files with 122 additions and 324 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -1,61 +1,8 @@
-Changes since 2.0.1
+Changes since 2.0.2
-1) Reformat the code in define_firewall().
+1) Remove restore files; don't generate them for non-statechanging
   commands.
-2) Reimplement dynamic zones.
+2) Restore file now loads kernel modules.
-3) Tweak new dynamic zone implementation.
+3) Minor tweaks to the restore mechanism.
 4) Implement CONFIG_PATH.
 5) Apply Stijn Jonker's fix for CONFIG_PATH.
 6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately.
 7) Allow CONFIG_PATH to be inherited.
 8) Fix ensure_config_path call.
 9) Make LOCAL and ALL INTERFACES independent in the nat file.
 10) Add "ko.gz" to the vast list of module suffixes that distributions
    have invented.
 11) Update the bogons file
 12) Added example for log rate limiting knobs in shorewall.conf.
 13) Fix init.debian.sh.
 14) Implement the -q option.
 15) Add saved configuration support (iptables-save/iptables-restore
    integration).
 16) Use modprobe if it is available.
 17) Lots of fixes to 'save'
 18) 'shorewall forget'
 19) SNAT/MASQUERADE by proto/port(s)
 20) Shorewall 2.0.2 Beta 1 changes.
 21) Fix ALL INTERFACES column parsing.
 22) Correct "shorewall delete" processing.
 23) Apply Alex Wilms's patch for install.sh
 24) Add ACCEPT+ and NONAT targets.
 25) Added 'initialized' extension script.
 26) Renamed 'initialized' to 'initdone'
 27) Applied Stijn Jonker's fix for "shorewall add"
 28) Correct typo that broke "shorewall delete"
 29) Apply Stijn Jonker's -q fix.
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.0.2
+VERSION=2.0.2a
 usage() # $1 = exit status
 {
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -87,6 +87,7 @@ startup_error() # $* = Error Message
    echo "   Error: $@" >&2
    my_mutex_off
    [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
    rm -f /var/lib/shorewall/restore-$$
    kill $$
    exit 2
 }
@ -135,9 +136,9 @@ ensure_and_save_command()
 # Append a file to /var/lib/shorewall/restore-$$
 #
 append_file() {
-    save_command "cat > $STATEDIR/$1 << EOF"
+    save_command "cat > $STATEDIR/$1 << __EOF__"
    cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
-    save_command EOF
+    save_command __EOF__
 }
 #
@ -1177,6 +1178,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
 #
 setup_forwarding() {
    save_command "echo Restoring IP Forwarding..."
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1197,6 +1201,7 @@ disable_ipv6() {
    if [ -n "$foo" ]; then
 	if qt which ip6tables; then
 	    save_command "echo Disabling IPV6..."
 	    ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
 	    ip6tables -P INPUT DROP   && save_command ip6tables -P INPUT DROP
 	    ip6tables -P OUTPUT DROP  && save_command ip6tables -P OUTPUT DROP
@ -1213,6 +1218,9 @@ stop_firewall() {
    #
    # Turn off trace unless we were tracing "stop" or "clear"
    #
    rm -f /var/lib/shorewall/restore-$$
    case $COMMAND in
 	stop|clear)
 	    ;;
@ -1222,8 +1230,6 @@ stop_firewall() {
 	    ;;
 	*)
 	    set +x
 	    rm -f /var/lib/shorewall/restore-$$
 	    if [ -f /var/lib/shorewall/restore ]; then
 		echo Restoring Shorewall...
 		. /var/lib/shorewall/restore
@ -1638,6 +1644,8 @@ setup_proxy_arp() {
    > ${STATEDIR}/proxyarp
    save_command "echo Restoring Proxy ARP..."
    while read address interface external haveroute persistent; do
 	expandv address interface external haveroute persistent
 	setup_one_proxy_arp
@ -1838,6 +1846,8 @@ setup_nat() {
    #
    > ${STATEDIR}/nat
    save_command "echo Restoring one-to-one NAT..."
    while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
@ -2093,6 +2103,8 @@ setup_tc1() {
    run_iptables -t mangle -A OUTPUT     -j tcout
    run_user_exit tcstart
    save_command "echo Restoring Traffic Control..."
    save_command . $(find_file tcstart)
 }
@ -2325,6 +2337,7 @@ check_config() {
    process_actions2
    rm -rf $TMP_DIR
    rm -f /var/lib/shorewall/restore-$$
    echo "Configuration Validated"
@ -3842,42 +3855,6 @@ process_tos() # $1 = name of tos file
    run_iptables -t mangle -A OUTPUT	 -j outtos
 }
 #
 # Load a Kernel Module
 #
 loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename=$1
    local modulefile
    local suffix
    moduleloader=modprobe
    if ! qt which modprobe; then 
 	moduleloader=insmod
    fi
    if [ -z "$(lsmod | grep $modulename)" ]; then
 	shift
 	for suffix in $MODULE_SUFFIX ; do
 	    modulefile=$MODULESDIR/${modulename}.${suffix}
 	    if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
 			insmod $modulefile $*
 			;;
 		    *)
 			modprobe $modulename
 			;;
 		esac
 		return
 	    fi
 	done
    fi
 }
 #
 # Display elements of a list with leading white space
 #
@ -4318,7 +4295,7 @@ setup_masq()
    strip_file masq $1
-    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
+    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_command "echo Restoring Masquerading/SNAT..."
    while read fullinterface networks addresses proto ports; do
 	expandv fullinterface networks addresses proto ports
@ -4540,6 +4517,8 @@ add_ip_aliases()
    set -- $aliases_to_add
    save_command "echo Restoring IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
@ -4570,6 +4549,22 @@ load_kernel_modules() {
    if [ -f $modules -a -d $MODULESDIR ]; then
 	echo "Loading Modules..."
 	. $modules
 	if [ "$command" != check ]; then
 	    save_command "echo Loading kernel modules..."
 	    save_command "reload_kernel_modules <<__EOF__"
 	    while read command; do
 		case "$command" in
 		loadmodule*)
 		    save_command $command
 		    ;;
 		esac
 	    done < $modules
 	    save_command __EOF__
 	fi
    fi
 }
@ -5033,6 +5028,8 @@ add_common_rules() {
    #
    # ARP Filtering
    #
    save_command "echo Restoring ARP filtering..."
    for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
 	run_and_save_command "echo 0 > $f"
    done
@ -5060,6 +5057,8 @@ add_common_rules() {
    if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
 	echo "Setting up Kernel Route Filtering..."
 	save_command "echo Restoring Route Filtering..."
 	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 	    run_and_save_command "echo 0 > $f"
 	done
@ -5420,6 +5419,14 @@ define_firewall() # $1 = Command (Start or Restart)
    verify_os_version
    verify_ip
    echo '#bin/sh' > /var/lib/shorewall/restore-$$
    save_command "# Restore base file generated $(date)"
    save_command ". /usr/share/shorewall/functions"
    save_command "MODULESDIR=\"$MODULESDIR\""
    save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
    load_kernel_modules
    echo "Initializing...";                    initialize_netfilter
@ -5472,7 +5479,9 @@ define_firewall() # $1 = Command (Start or Restart)
    save_command "date > $STATEDIR/restarted"
-    save_command 'iptables-restore << EOF'
+    save_command "echo Restoring Netfilter Configuration..."
    save_command 'iptables-restore << __EOF__'
    # 'shorewall save' appends the iptables-save output and 'EOF'
@ -6078,8 +6087,6 @@ do_initialize() {
    rm -f $TMP_DIR/physdev
    echo '#bin/sh' > /var/lib/shorewall/restore-$$
    echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
 }
 #
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@ -162,6 +162,55 @@ separate_list() {
    echo "$newlist"
 }
 #
 # Load a Kernel Module
 #
 loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename=$1
    local modulefile
    local suffix
    moduleloader=modprobe
    if ! qt which modprobe; then 
 	moduleloader=insmod
    fi
    if [ -z "$(lsmod | grep $modulename)" ]; then
 	shift
 	for suffix in $MODULE_SUFFIX ; do
 	    modulefile=$MODULESDIR/${modulename}.${suffix}
 	    if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
 			insmod $modulefile $*
 			;;
 		    *)
 			modprobe $modulename $*
 			;;
 		esac
 		return
 	    fi
 	done
    fi
 }
 #
 # Reload the Modules
 #
 reload_kernel_modules() {
    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    while read command; do 
 	eval $command
    done
 }
 #
 # Find the zones
 #
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.2
+VERSION=2.0.2a
 usage() # $1 = exit status
 {
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -1,227 +1,20 @@
-Shorewall 2.0.2
+Shorewall 2.0.3 Beta 1
 ----------------------------------------------------------------------
-Problems Corrected since 2.0.1
+Problems Corrected since 2.0.2
-1) The /etc/init.d/shorewall script installed on Debian by install.sh
+1) The 'firewall' script is not purging temporary restore files in
-   failed silently due to a missing file
+   /var/lib/shorewall. These files have names of the form
-   (/usr/share/shorewall/wait4ifup). That file is not part of the
+   "restore-nnnnn".
   normal Shorewall distribution and is provided by the Debian
   maintainer.
-2) A meaningless warning message out of the proxyarp file processing
+2) The /var/lib/shorewall/restore script did not load the kernel
-   has been eliminated.
+   modules specified in /etc/shorewall/modules.
 3) The "shorewall delete" command now correctly removes all dynamic 
   rules pertaining to the host(s) being deleted. Thanks to Stefan 
   Engel for this correction.
 -----------------------------------------------------------------------
-Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
+Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
-1) Extension Scripts
+None.
   In order for extension scripts to work properly with the new
   iptables-save/restore integration (see New Feature 1 below), some
   change may be required to your extension scripts.
   If your extension scripts are executing commands other than iptables
   then those commands must also be written to the restore file (a
   temporary file in /var/lib/shorewall that is renamed
   /var/lib/shorewall/restore-base at the end of the operation).
   The following functions should be of help:
   A. save_command() -- saves the passed command to the restore file.
   Example:
    save_command echo Operation Complete
   That command would simply write "echo Operation Complete" to the
   restore file.
   B. run_and_save_command() -- saves the passed command to the restore
   file then executes it. The return value is the exit status of the
   command.
   Example: 
     run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
   Note that as in this example, when the command involves file
   redirection then the entire command must be enclosed in quotes. This
   applies to all of the functions described here.
   C. ensure_and_save_command() -- runs the passed command. If the
   command fails, the firewall is restored to it's prior saved state
   and the operation is terminated. If the command succeeds, the
   command is written to the restore file.
 2) Dynamic Zone support.
   If you don't need to use the "shorewall add" and "shorewall delete"
   commands, you should set DYNAMIC_ZONES=No in
   /etc/shorewall/shorewall.conf.
 New Features:
-1) Shorewall has now been integrated with
+None.
   iptables-save/iptables-restore to provide very fast start and
   restart. The elements of this integration are as follows:
   a) The 'shorewall save' command now saves the current configuration
      in addition to the current dynamic blacklist. If you have
      dynamic zones, you will want to issue 'shorewall save' when the
      zones are empty or the current contents of the zones will be
      restored by the 'shorewall restore' and 'shorewall -f start'
      commands.
   b) The 'shorewall restore' command has been added. This command
      restores the configuration at the time of the last 'save'.
   c) The -f (fast) option has been added to 'shorewall start'. When
      specified (e.g. 'shorewall -f start'), shorewall will perform a
      'shorewall restore' if there is a saved configuration. If there
      is no saved configuration, a normal 'shorewall start' is
      performed.
   d) The /etc/init.d/shorewall script now translates the 'start'
      command into 'shorewall -f start' so that fast restart is
      possible.
   e) When a state-changing command encounters an error and there is a
      current saved configuration, that configuration will be restored
      (currently, the firewall is placed in the 'stopped' state).
   f) If you have previously saved the running configuration and want
      Shorewall to discard it, use the 'shorewall forget' command.
   WARNING: iptables 1.2.9 is broken with respect to iptables-save;
   If your kernel has connection tracking match support, you must
   patch iptables 1.2.9 with the iptables patch availale from
   the Shorewall errata page.
 2) The previous implementation of dynamic zones was difficult to
   maintain. I have changed the code to make dynamic zones optional
   under the control of the DYNAMIC_ZONES option in
   /etc/shorewall/shorewall.conf.
 3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
   following directories for configuration files.
   a) The directory specified in a 'try' command or specified using
      the -c option.
   b) /etc/shorewall
   c) /usr/share/shorewall
   In this release, the CONFIG_PATH option is added to shorewall.conf.
   CONFIG_PATH contains a list of directory names separated by colons
   (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
   "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
   Now Shorewall searches for shorewall.conf according to the old
   rules and for other configuration files as follows:
   a) The directory specified in a 'try' command or specified using
      the -c option.
   b) Each directory in $CONFIG_PATH is searched in sequence.
   In case it is not obvious, your CONFIG_PATH should include
   /usr/share/shorewall and your shorewall.conf file must be in the
   directory specified via -c or in a try command, in /etc/shorewall
   or in /usr/share/shorewall.
   For distribution packagers, the default CONFIG_PATH is set in
   /usr/share/shorewall/configpath. You can customize this file to
   have a default that differs from mine.
 4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
   would only take effect if the ALL INTERFACES column also contained
   Yes or yes. Now, the LOCAL columns contents are treated
   independently of the contents of the ALL INTERFACES column.
 5) The folks at Mandrake have created yet another kernel module
   naming convention (module names end in "ko.gz"). As a consequence,
   beginning with this release, if MODULE_SUFFIX isn't specified in
   shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
 6) An updated bogons file is included in this release.
 7) In /etc/shorewall/rules and in action files generated from
   /usr/share/shorewall/action.template, rules that perform logging can
   specify an optional "log tag". A log tag is a string of alphanumeric
   characters and is specified by following the log level with ":" and
   the log tag.
   Example:
 	ACCEPT:info:ftp	net	dmz	tcp	21
   The log tag is appended to the log prefix generated by the LOGPREFIX
   variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
   prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
   generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). 
   The maximum length of a log prefix supported by iptables is 29
   characters; if a larger prefix is generated, Shorewall will issue a
   warning message and will truncate the prefix to 29 characters.
 8) A new "-q" option has been added to /sbin/shorewall commands. It
   causes the start, restart, check and refresh commands to produce
   much less output so that warning messages are more visible (when
   testing this change, I discovered a bug where a bogus warning
   message was being generated).
 9) Shorewall now uses 'modprobe' to load kernel modules if that utility
   is available in the PATH; otherwise, 'insmod' is used.
 10) It is now possible to restrict entries in the /etc/shorewall/masq
    file to particular protocols and destination port(s). Two new
    columns (PROTO and PORT(S)) have been added to the file.
    Example:
    You want all outgoing SMTP traffic entering the firewall
    on eth1 to be sent from eth0 with source IP address 
    206.124.146.177. You want all other outgoing traffic 
    from eth1 to be sent from eth0 with source IP address
    206.124.146.176.
 	eth0	eth1	206.124.146.177	tcp	25
 	eth0	eth1	206.124.146.176
    THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
    Assuming that 10.0.0.0/8 is the only host/network connected
    to eth1, the progress message at "shorewall start" would be:
    Masqueraded Networks and Hosts:
       To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
       To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
 11) Two new actions are available in the /etc/shorewall/rules file.
    ACCEPT+    -- Behaves like ACCEPT with the exception that it exempts
                  matching connections from subsequent DNAT[-] and
                  REDIRECT[-] rules.
    NONAT      -- Exempts matching connections from subsequent DNAT[-]
                  and REDIRECT[-] rules.
 12) A new extension script 'initdone' has been added. This script is invoked
    at the same point as the 'common' script was previously and is useful for
    users who mis-used that script under Shorewall 1.x (the script was intended 
    for adding rules to the 'common' chain but many users treated it as a script
    for adding rules before Shorewall's).
 13) Installing/Upgrading Shorewall on Slackware has been
    improved. Slackware users must use the tarball and must modify
    settings in the install.sh script before running it as follows:
    DEST="/etc/rc.d"
    INIT="rc.firewall"
    Thanks to Alex Wilms for helping with this change.
--- a/Shorewall2/shorewall
+++ b/Shorewall2/shorewall
@ -974,7 +974,7 @@ case "$1" in
 		if [ -f /var/lib/shorewall/restore-base ]; then
 		    cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 		    if iptables-save >> /var/lib/shorewall/restore-$$ ; then
-			echo EOF >> /var/lib/shorewall/restore-$$
+			echo __EOF__ >> /var/lib/shorewall/restore-$$
 			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
 			chmod +x /var/lib/shorewall/restore
 			echo "   Currently-running Configuration Saved"
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.2
+%define version 2.0.2a
 %define release 1
 %define prefix /usr
@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sat May 15 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.2a-1
 * Thu May 13 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.2-1
 * Mon May 10 2004 Tom Eastep tom@shorewall.net
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.2
+VERSION=2.0.2a
 usage() # $1 = exit status
 {